We ‘go phishing’ with Paul Calatayud, Chief Information Security and Privacy Officer at Aqua Security, who tells us about life inside and outside the office.
What would you describe as your biggest achievement in the cybersecurity industry?
My biggest achievement is the brand of trust I have instilled in the organisations I have worked in, to the point where I don’t have to defend the plans or decisions I bring to the table.
I’ve been successful in creating a positive culture that unifies the team to strive and deliver the very best for our customers so that their confidence in us remains unwavering. It’s easier said than done, something that takes years to build and a second to break, but an unmatched quality that is indispensable – particularly in the field of security.
What first made you think of a career in cybersecurity?
In high school, I was learning computer science and software development and then I decided to enlist in the army. I told the recruiters one thing: ‘I want to do something with computers – not software development – something a little more hands-on…’
I’ve now been in cyber for more than 20 years and can honestly say I’ve never looked back.
What style of management philosophy do you employ with your current position?
My management philosophy is what I like to call ‘transformational leadership’. I’ll set out the mission and lead the charge but not dictate how we get there – I want to allow room for creativity and enable team members to take ownership and innovate their ideas.
What do you think is the current hot cybersecurity talking point?
Many organisations in a post-pandemic world are trying to reinvent themselves, taking on security learnings from the remote work surge and reprioritising resources to strengthen cybersecurity.
I think the hot cybersecurity talking point will centre around trust and sustainable innovation, which is what it takes for a concept or a technology to catch on and become mainstream. It has to be trustworthy. An innovation really becomes mainstream when we blindly trust or accept the tech to do what it’s expected to do.
How do you deal with stress and unwind outside the office?
Outside of work, I like to ‘unplug’ and enjoy the outdoors, particularly snowmobiling in the wintertime.
I also enjoy woodworking, home building and construction. I have taken on many of my own DIY and big build projects that have involved me tearing down parts of my home, redesigning and rebuilding it.
If you could go back and change one career decision, what would it be?
I would change an experience I had at a data centre in Chicago. I was asked to rebuild the cabling, which was a real mess. It was early in my career and I walked in and bumped the servers and inadvertently took down the entire network.
What do you currently identify as the major areas of investment in the cybersecurity industry?
I think there are three areas of hot investment right now.
The first is in identity. As organisations depend less and less on networks and infrastructure and cloud computing becomes the new norm, people’s trust will shift towards the identity of individuals behind the keyboard. Identity is very important and I think it will become an area of continuous growth and investment.
The second area of significant investment is cloud security – specifically cloud native security. It’s a very hot market and we’ll continue to see it grow to a point where it’s going to surpass markets of network and traditional legacy.
The third is data itself. A hot investment opportunity lies in behaviour analytics and Machine Learning – a booming market in cybersecurity that is only in its infancy right now.
Are there any differences in the way cybersecurity challenges need to be tackled in the different regions?
There is a presumption that there are different needs or requirements to cybersecurity in different regions, but the reality is if you’re on the Internet, there’s the same level of cyber-risk.
There is a concerning ‘we are untouchable’ mindset in some regions that feel isolated from a cultural point of view, but that’s not the reality. When I was in the Bahamas and in Hawaii, there was this sentiment that because they are on an island and detached from the mainland, this translated into their interpretation of being at a low digital risk. There are no borders on the Internet; we all exist on one plane.
What changes to your job role have you seen in the last year and how do you see these developing in the next 12 months?
One of the biggest shifts in the next 12 months I think will be where the CISO sits in the organisation and the function that they serve. Historically, the CISO reported to the CIO and it was a network security focused role partnering with IT. Fast-forward to today, the world is driven by data and the job of the CISO has broadened to cover risk and concepts that go beyond infrastructure.
At a minimum, the responsibility of the CISO is to protect the business on all fronts – from Business Continuity to ransomware attacks to geopolitical risk and everything in between. What’s more, a big part of the role is educating customers, building trust and gaining customer confidence. We are in a very crowded and competitive market, so the big differentiator for customers will inevitably keep coming down to ‘do I trust you?’ This sentiment will only become more important to customers in years to come and it’s the CISO’s job to invoke this sense of trust. I think the scope of the role will continue to evolve – perhaps even with a change in title to become ‘Chief Trust Officer’.
What advice would you offer somebody aspiring to obtain a C-level position in the security industry?
My advice would be to broaden your understanding of the people around you, as that will determine the success you have in the partnerships you hold as a C-level executive.
Get to know your team, what motivates them and how they navigate challenges, and simultaneously get deeply acquainted with your customers to understand their needs and their business objectives.